Hello, all

The prevention of DNS zone transfers on a Windows NT 4.0 DNS server is done
on a zone by zone basis, and can be done from the DNS console (see knowledge
base article Q193837).

Right click on the zone you wish to protect, and click on the Notify tab.
Add the servers that are secondary to your main server by IP address in the
box, and then check "Only Allow Access From Secondaries Included on Notify
List." This will cause the Windows NT 4.0 server to send a NOTIFY request
with the updated records for that zone to the servers listed in the list,
and prevent zone transfers from every other server, including nslookups.

Remember, older BIND servers do not accept the NOTIFY request, and may reply
with an error message.

In terms of the MS DNS Zone Transfer Exploit, I'm not sure what version of
DNS you are using. There are some known issues of older BIND servers getting
more information than they should, and some other strangeness with the way
MS-DNS does tcp/53 transfers by default with all records included...

Try the following Microsoft KB articles for Registry keys that pertain to
DNS.

Windows NT 4.0 DNS

Q198408
Q198409
Q198410

There are known problems with SRV, AAAA and ATMA records between NT 4.0 and
Windows 2000 DNS servers.

Q203009

I guess you're going to need to be more specific, please. What have you seen
that makes you think there might be an exploit? Has there been some Event
Log output that seems strange? Or a SNORT dump that is odd?

Seamus Hartmann
Senior Network Engineer
Fuji Film eSystems
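What the "Only Allow Access From Secondaries Included on Notify List" setting enforces at the protocol level, modelled as an added Python example (not from this thread and not Microsoft's DNS code): a client builds an AXFR (QTYPE 252) query as nslookup's `ls -d` does, and the server side refuses it with RCODE REFUSED unless the source address is on the notify list. The notify list, source addresses and the `decide_transfer` policy function are constructed for illustration.

```python
import struct

AXFR = 252                       # QTYPE for a full zone transfer (RFC 1035)
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels, 0 terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query (12-byte header + one question), as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN

def parse_question(pkt):
    """Return (txid, qname, qtype) from a query packet (no compression in the question)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype

def decide_transfer(pkt, source_ip, notify_list, only_secondaries=True):
    """Hypothetical server policy: AXFR is served only to listed secondaries.
    Returns (rcode, audit message); the message is what a defender would log."""
    _, qname, qtype = parse_question(pkt)
    if qtype != AXFR:
        return RCODE_NOERROR, f"{qname} qtype={qtype} from {source_ip}: ordinary query"
    if only_secondaries and source_ip not in notify_list:
        return RCODE_REFUSED, f"AXFR {qname} from {source_ip}: REFUSED (not on notify list)"
    return RCODE_NOERROR, f"AXFR {qname} from {source_ip}: allowed (listed secondary)"

def build_response(query_pkt, rcode):
    """Echo the question with QR=1, AA=1 and the decided RCODE; no answer records."""
    txid = struct.unpack("!H", query_pkt[:2])[0]
    flags = 0x8400 | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query_pkt[12:]

def rcode_of(pkt):
    """Extract the RCODE (low 4 bits of the flags word) from a DNS packet."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x0F

if __name__ == "__main__":
    secondaries = ["196.254.0.2"]                        # constructed notify list
    q = build_query("domain.com", AXFR)
    for ip in ["196.254.0.2", "10.0.0.5"]:               # constructed source addresses
        rcode, msg = decide_transfer(q, ip, secondaries)
        print(msg, "->", rcode_of(build_response(q, rcode)))
```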

-----Original Message-----
From: Alex Raitz [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 10, 2001 8:38 PM
To: Stacy M. Williams; [EMAIL PROTECTED]
Subject: RE: MS DNS Zone Transfer Exploit

nslookup can perform zone transfers.  Syntax:

c:\>nslookup <domain.com>
  -default server: <corp-dns.domain.com>
  -address: 196.254.0.1
   >ls -d <domain.com>

This will allow a zone transfer (no null session needed) unless (in 2000)
Services and Applications\DNS\[server name]\Forward Lookup
Zones\[zone-name]\properties, then zone transfers tab, "Allow zone
transfers" checked and "to any server" is not radioed.  In NT 4.0, this
function is performed I believe with a registry hack in the DNS services
area, not sure of the specifics, though.

-----Original Message-----
From: Stacy M. Williams [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 10, 2001 6:13 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: MS DNS Zone Transfer Exploit


Is anyone aware of a Microsoft DNS Zone Transfer Exploit
that would allow a forced zone transfer within DNS?

Any information available, or security alert on the subject
would be very helpful.

Thanks.

Stacy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
